On Thu, Sep 5, 2013 at 3:38 AM, <[email protected]> wrote:
> What I basically want is that a firewall drop is executed on the host that
> originates the alert, if the alert is part of defined groups and level 6
> or higher.
>
> Initially I had one active response block with all agents separated by commas
> in the <agent_id> field. Initially this worked, but after recompiling for
> GeoIP this gave errors on the server. Now it is configured as you see below.
>
OK, so it did block on all of the systems correctly? You just didn't get alerts that these blocks were put in place? Are you sure active-response.log or whatever is being monitored on all of the agents?

>
> <command>
> <name>firewall-drop</name>
> <executable>firewall-drop.sh</executable>
> <expect>srcip</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
>
>
>
> <active-response>
> <command>firewall-drop</command>
> <location>defined-agent</location>
> <agent_id>005</agent_id>
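Added example for the configuration discussed above; it is not the poster's ossec.conf and not taken from the OSSEC project. It shows the stock firewall-drop command as posted, the defined-agent block beside a version that matches the stated goal (run the drop on the agent that raised the alert, only for level 6 and up in chosen rule groups), and the agent-side localfile entry needed for the server to receive the "block put in place" alerts the reply asks about. The rule group names and the 600-second timeout are assumed values chosen for illustration.

```xml
<!-- Server-side ossec.conf fragment (inside <ossec_config>). Added example,
     not the poster's configuration. -->

<!-- Command definition, as posted in the thread. firewall-drop.sh ships in
     /var/ossec/active-response/bin/ and receives the alert's source IP. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- As posted: runs the drop only on agent 005, and with no <level> or
     <rules_group> it is not restricted by alert severity or rule group. -->
<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>005</agent_id>
</active-response>

<!-- Matching the stated goal: "local" runs the command on whichever agent
     generated the alert, so no agent_id list is needed at all. <level> is the
     minimum alert level; <rules_group> is a comma-separated list of groups
     (the two names below are assumed examples). <timeout> (seconds) undoes
     the block later, which is why timeout_allowed is set on the command. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <rules_group>authentication_failed,attacks</rules_group>
  <timeout>600</timeout>
</active-response>

<!-- Agent-side ossec.conf on every agent: the server only alerts on blocks
     being put in place if the agent forwards its active-responses log.
     Stock agent configs contain this entry; confirm it was not removed. -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/active-responses.log</location>
</localfile>
```

Two checks worth doing after applying this: make sure active response is not disabled in each agent's own ossec.conf, and trigger a known level 6+ alert from one host, then confirm the block appears in that host's /var/ossec/logs/active-responses.log and as an alert on the server.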
